
Upgraded from jackson 2.10.5 to 2.10.5.1 -- this helps with a serious vulnerability #554

Merged

Conversation

giuliodambrosio (Contributor)

Pull Request Checklist

  • [√] Have you read through the contributor guidelines?
  • [√] Have you signed the Lightbend CLA?
  • [√] Have you squashed your commits?
  • [√] Have you added copyright headers to new files?
  • [√] Have you updated the documentation?
  • [√] Have you added tests for any changed functionality?

Fixes

Fixes #xxxx

Purpose

Upgrade the jackson dependencies to the latest version: mainly in order to import a vulnerability fix for a serious vulnerability: CVE-2020-25649

Background Context

Why did you take this approach?

References

Are there any relevant issues / PRs / mailing lists discussions?

raboof (Member) commented Jan 4, 2021

Thanks for the update!

This could be controversial since jackson 2.10 is not binary compatible with jackson 2.12.

A more conservative option might be to upgrade to 2.10.5.1, which is also not affected.

We'll have to plan to upgrade jackson at some point, though...
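The thread turns on a version-floor decision: within the 2.10 line, 2.10.5.1 is the first release that carries the fix for CVE-2020-25649, and 2.12.0 is also unaffected but breaks binary compatibility with 2.10. The following is an added example, not code from the PR or from play-json, that scans a constructed dependency listing for jackson-databind and flags versions below the floor stated in this thread. The four-component "2.10.5.1" is the interesting case: a three-part or string-based comparison misorders it against "2.10.5" and "2.9.10", so versions are compared component-wise with zero padding. The floor table and the listing format are assumptions made for the example.

```python
from __future__ import annotations

import re
from itertools import zip_longest

# Assumption: version floors taken from the PR discussion only.
# 2.10.x is fixed from 2.10.5.1; 2.12.0 is stated as unaffected.
# Other minor lines are not described on the page and are reported as unknown.
FIXED_FLOORS: dict[tuple[int, int], tuple[int, ...]] = {
    (2, 10): (2, 10, 5, 1),
    (2, 12): (2, 12, 0),
}

GROUP = "com.fasterxml.jackson.core"
ARTIFACT = "jackson-databind"


def parse_version(version: str) -> tuple[int, ...]:
    """Split '2.10.5.1' into (2, 10, 5, 1); a non-numeric suffix ends parsing."""
    parts: list[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def compare(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Component-wise comparison; missing trailing components count as 0,
    so (2, 10, 5) < (2, 10, 5, 1) and (2, 9, 10) < (2, 10, 5)."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def is_vulnerable(version: str) -> bool | None:
    """True if below the fixed floor of its minor line, False if at or above,
    None when the minor line is not covered by FIXED_FLOORS."""
    parsed = parse_version(version)
    floor = FIXED_FLOORS.get(parsed[:2])
    if floor is None:
        return None
    return compare(parsed, floor) < 0


# Constructed sample listing in group:artifact:version form, one per line
# (the shape a resolved-dependency dump typically has).
SAMPLE_DEPS = """\
com.typesafe.play:play-json_2.13:2.9.1
com.fasterxml.jackson.core:jackson-databind:2.10.5
com.fasterxml.jackson.core:jackson-core:2.10.5
com.fasterxml.jackson.core:jackson-annotations:2.10.5
"""


def scan(listing: str) -> list[tuple[str, str]]:
    """Return (version, status) for every jackson-databind entry found."""
    findings: list[tuple[str, str]] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        group, artifact, version = fields[0], fields[1], fields[2]
        if group != GROUP or artifact != ARTIFACT:
            continue
        status = is_vulnerable(version)
        label = "unknown" if status is None else ("vulnerable" if status else "ok")
        findings.append((version, label))
    return findings


if __name__ == "__main__":
    for version, label in scan(SAMPLE_DEPS):
        print(f"{ARTIFACT} {version}: {label}")
```

The check deliberately answers "unknown" for lines the thread does not cover rather than guessing a floor; extend FIXED_FLOORS from the advisory for the lines you actually ship.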

giuliodambrosio (Contributor, Author) commented Jan 4, 2021

> Thanks for the update!
>
> This could be controversial since jackson 2.10 is not binary compatible with jackson 2.12.
>
> A more conservative option might be to upgrade to 2.10.5.1, which is also not affected.
>
> We'll have to plan to upgrade jackson at some point, though...

Sounds good, I'll downgrade to the least version needed to fix that vulnerability (2.10.5.1)

giuliodambrosio force-pushed the jackson-2.10.5-to-2.12.0 branch from 8b7e17f to bc5e840 on January 4, 2021 13:08

raboof changed the title from "Upgraded from jackson 2.10.5 to 2.12.0 -- this helps with a serious v…" to "Upgraded from jackson 2.10.5 to 2.10.5.1 -- this helps with a serious v…" on Jan 4, 2021

giuliodambrosio (Contributor, Author) commented

So what happens now @raboof ? I don't think I can merge it, can I ?

raboof (Member) commented Jan 4, 2021

> So what happens now @raboof ? I don't think I can merge it, can I ?

We first wait for travis to run the tests - I don't expect problems there.

After that the PR can be merged by me (or anyone else with write access), and then we should probably do a release. I'm not sure I've done that before, but judging from https://github.com/playframework/play-json/blob/master/RELEASING.md that seems fairly straightforward, so I might have time to take care of that as well.

giuliodambrosio (Contributor, Author) commented

Thanks @raboof. Do you have an idea of how long it could take to have this patch released?

raboof merged commit fe8d1c3 into playframework:master on Jan 4, 2021

giuliodambrosio deleted the jackson-2.10.5-to-2.12.0 branch on January 4, 2021 15:16

raboof (Member) commented Jan 4, 2021

https://github.com/playframework/play-json/releases/tag/2.9.2 should be on its way to Maven Central now

giuliodambrosio (Contributor, Author) commented

Thank you @raboof, much appreciated!
